FixVibe
Covered by FixVibe (severity: medium)

Insufficient Security Header Configuration

Web applications often fail to set essential security headers, leaving users exposed to cross-site scripting (XSS), clickjacking, and data injection. By following established web security guidelines and using assessment tools such as MDN Observatory, developers can harden their applications against common browser-based attacks.

CWE-693

Impact

Missing security headers allow attackers to perform clickjacking, steal session cookies, or carry out cross-site scripting (XSS) [S1]. Without these directives, browsers cannot enforce security boundaries, which can lead to data exposure and unauthorized actions performed on behalf of the user [S2].

Cause

The issue stems from failing to configure web servers or application frameworks to include the standard HTTP security headers. While development often prioritizes functional HTML and CSS [S1], the protective configuration is frequently left out. Assessment tools such as MDN Observatory are designed to detect these missing defensive layers and verify that the interaction between browser and server is secure [S2].

Technical Details

Security headers give the browser specific security instructions that mitigate common risks:

  • Content-Security-Policy (CSP): Controls which resources may be loaded, preventing unauthorized script execution and data injection [S1].
  • Strict-Transport-Security (HSTS): Ensures the browser communicates only over a secure HTTPS connection [S2].
  • X-Frame-Options: Prevents the application from being rendered inside an iframe, the primary defence against clickjacking [S1].
  • X-Content-Type-Options: Prevents the browser from interpreting a file as a MIME type other than the one declared, stopping MIME-sniffing attacks [S2].

How FixVibe detects it

FixVibe can detect this by analysing the web application's HTTP response headers. By scoring the results against the MDN Observatory grading [S2], FixVibe can flag headers that are missing or misconfigured, such as CSP, HSTS, and X-Frame-Options.

Fix

Update the web server (e.g., Nginx, Apache) or the application middleware to include the following headers in every response as part of a standard security baseline [S1]:

  • Content-Security-Policy: Restrict resource sources to trusted domains.
  • Strict-Transport-Security: Enforce HTTPS with a long max-age.
  • X-Content-Type-Options: Set to nosniff [S2].
  • X-Frame-Options: Set to DENY or SAMEORIGIN to prevent clickjacking [S1].
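As an added example (not FixVibe's own code and not part of the original page), the following Python script performs the kind of response-header audit described under "How FixVibe detects it" and carries the hardened header set from the "Fix" list above. The thresholds it applies (an HSTS max-age of at least one year, X-Frame-Options limited to DENY or SAMEORIGIN, flagging a CSP whose default-src or script-src allows '*' or 'unsafe-inline') and both sample responses are assumptions constructed for illustration.

```python
"""Audit raw HTTP responses for the security headers discussed above.

Constructed example; thresholds below are assumptions, not FixVibe's rules.
"""
import re
from typing import Dict, List

# Assumption: accept an HSTS max-age of one year or more (in seconds).
MIN_HSTS_MAX_AGE = 31536000

# Hardened baseline a server or middleware should add to every response.
# A real CSP must list the origins the application actually loads from.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": f"max-age={MIN_HSTS_MAX_AGE}; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Names are lower-cased because HTTP header names are case-insensitive.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak security header."""
    findings: List[str] = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # Only the script-controlling directives are checked here.
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0] in ("default-src", "script-src") and (
                "'unsafe-inline'" in parts[1:] or "*" in parts[1:]
            ):
                findings.append(
                    f"Content-Security-Policy: {parts[0]} permits inline or wildcard scripts"
                )

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    return findings


def audit_raw(raw_response: str) -> List[str]:
    """Convenience wrapper: parse a raw response, then audit it."""
    return audit_headers(parse_headers(raw_response))


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "\r\n<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    + "".join(f"{k}: {v}\r\n" for k, v in RECOMMENDED_HEADERS.items())
    + "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_raw(resp)
        print(f"{label}: {'no findings' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The weak sample produces four findings (CSP missing, HSTS max-age too short, no nosniff, and an obsolete X-Frame-Options value), while the hardened set passes clean. Two practical caveats when applying the fix: modern browsers honour the CSP frame-ancestors directive over X-Frame-Options, so the baseline keeps both for older clients; and in Nginx an add_header directive inside a location block replaces, rather than extends, the headers inherited from the server block, so a nested location that adds its own header silently drops the security set unless they are repeated there.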